-
-
Notifications
You must be signed in to change notification settings - Fork 3.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
bug: cookie is not set if the host address is localhost:4320 #632
base: master
Are you sure you want to change the base?
Conversation
Let's pull this one into master |
I added some comments can you see them?
…On Sat, 18 May 2024, 11:46 m-fedosov, ***@***.***> wrote:
Let's pull this one into master
—
Reply to this email directly, view it on GitHub
<#632 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAA4SWL6PN4XZ35GCOA2IVDZC4WQ3AVCNFSM6AAAAABHRZAEQ6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCMJYG43TGNBXGQ>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
Hmm, I don't see any comments. |
Odd, I'll try again tomorrow then.
…On Sun, 19 May 2024, 21:25 m-fedosov, ***@***.***> wrote:
Hmm, I don't see any comments.
—
Reply to this email directly, view it on GitHub
<#632 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAA4SWN3CFD5J3MQR74VBD3ZDEDCLAVCNFSM6AAAAABHRZAEQ6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCMJZGM2DSOJUHE>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
@@ -4,6 +4,7 @@ | |||
|
|||
if ($_SERVER['REQUEST_METHOD'] == "POST") { | |||
$cookie_value = sha1(mt_rand() . time() . "Impossible"); | |||
setcookie("dvwaSession", $cookie_value, time()+3600, "/vulnerabilities/weak_id/", $_SERVER['HTTP_HOST'], true, true); | |||
$domain = ($_SERVER['SERVER_NAME'] != 'localhost') ? $_SERVER['HTTP_HOST'] : false; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why aren't you setting it if it is localhost?
The default according to the manual should be an empty string, not false.
Would it make sense to do an equals check and reverse the two value fields? That would read better to me.
I hadn't clicked enough save buttons. |
This solution is better than #631 since it sets a cookie even on a subdomain